Security researcher Stefan Viehböck has demonstrated a critical flaw in the Wi-Fi Protected Setup standard that opens up routers to attack and has prompted a US-CERT vulnerability notice.
Wi-Fi Protected Setup (WPS) is used to secure access to wireless networks and requires each router to have a unique eight-digit PIN. One mode of use …

For the mathematically curious...

First off, you send PIN association packets to the Wi-Fi router, starting with

-- -- "0000 0000" (space added between quads for clarity)

and increment the upper quad by one, like so:

-- -- "0000 0000"

-- -- "0001 0000"

-- -- "0002 0000"

-- -- "0003 0000"

Each time the "probe PIN" is sent, the router replies with a message that tells the device if the upper quad (the first four digits) is incorrect. Since the upper quad is four digits long, you only need to send at most ten thousand (10^4) "probe PINs" -- from "0000 0000" to "9999 0000" -- to determine what the first four digits of the real PIN actually are.

For purposes of this discussion, we will say the correct upper quad is "4976." This presumably took us 4,977 guesses, if we started at "0000 0000," and tested the upper quad sequentially.

Once you know the first four digits, you only need to guess the first three digits of the lower quad -- from "000" to "999," or one thousand (10^3) combinations -- to find the rest of the PIN. The last digit is deterministic, since it's calculated mathematically from the first seven digits, and used as a checksum:

-- -- "4976 000[checksum]"

-- -- "4976 001[checksum]"

-- -- "4976 002[checksum]"

-- -- "4976 003[checksum]"

Again, for purposes of discussion, we'll presume that the correct first three digits of the lower quad are "387," with the calculated checksum appended at the end.

Thus, given an upper quad of "4976" and a correct lower quad of "387[checksum]," we should be able to find our association PIN in

Cheers for that.

Oh FFS, that's terrible..

I'd always assumed WPS was broken security and disabled it wherever I find it, reasoning my long pass phrases (a whole sentence in most cases) would be far more secure and I can remember them in my head.

But this is even worse than I could have imagined! Some Kudos to Netgear for seeming to realise the vulnerability but surely after even 20+ incorrect pins in quick succession it should be blindingly obvious a brute force attack is in progress and the feature disabled for a while at least... This is some king-size fail, it's like it's 1999 and we're all using WEP again!

Worth noting that however many guesses calculated here is the maximum required, luckier tries could crack in a much shorter time.

Buh?

What on Earth were they thinking when they designed it to return a result after only half the password was sent? (An already short password at that.) That is SO stupid, there must have been some strange logic behind it. I'm thinking like the protocol used 4-digit control codes so they just fit this into the same format, or something. But regardless, it should have been really obvious that they were introducing a major weakness by doing that.

The Ken Thompson Unix back-door. Put code into the C compiler that checks to see if it's making the login command and then compiles in a back-door, then you also put in code so if you recompile the compiler, it adds the code to do this (add the backdoor and add itself to the C compiler) back in.

Is there any particular reason you're listing a bunch of disproved (in some cases more than a decade ago) and lame-ass conspiracy theories? What does any of that crap have to do with anything, let alone a wifi security mode that nobody uses for more than 5 minutes when first setting up a router?

The NSA key was in NT4, therefore there is nothing like it in any other version of windoze?

Some of these 'theories' are over ten years old, therefore they are not happening now?

The Ken Thompson hack of the compiler is very old but it does serve as an example of what can be done. Just remember that mickeysoft is showing the windoze source code to russian, uk and who knows what other secret agencies, I wonder if any of them are making 'recommendations' about the code?

Spying on telecoms traffic has been going on for years, and backdoors in systems have existed for years, and still do exist. There are even some national security agencies that complain to telecoms companies about encrypted traffic being routed through their country, how do they know the communications are encrypted?

FFS, even DES was fiddled with by the NSA to reduce the number of bits in the key, and when IBM found a way to crack it using differential cryptanalysis in 1974 they were asked to keep the method secret.

While most tech-savvy people will disable WPS, most people won’t, probably the same people that don’t use anti-virus, firewalls etc.

Windoze? Mickeysoft?

Sad. Old, unoriginal (of course,) and really, really, sad. I'm betting even your mother can't raise a charity smile when you crack a joke nowadays. Lots of people here appreciate your witty play on names, I'm sure, but then they're just as sad.

If "the last of the eight digits is just a checksum"...

... then there were only ever 10^7 combinations to try even for the full 8-digit number in the first place, not 10^8. Inaccurate of the guy to mention that the guessable 8th digit reduces the number of combinations to try in his attack but omit to apply the same adjustment to the raw brute force figures.

"If 'the last of the eight digits is just a checksum' then there's only 10^7 combinations..."

I've been thinking about this as well.

I guess if you know the checksum digit generation algorithm used, there would be only 10^7 combinations, but if you didn't know the formula for generating the checksum digit, then there would be 10^8 uniques, since you would have to test each last digit along with the other seven.

The same goes for the "upper-quad-then-lower-quad" PIN-probe attack described by the article (and my example, above): If you know the checksum algorithm, then the complexity is

-- -- 10^4 + 10^3 (11,000 guesses required)

but if you do not know how the checksum digit is calculated, then the complexity increases to

-- -- 10^4 + 10^4 (20,000 guesses required)

which is still a whole lot less than any threshold that can reasonably be considered "secure."

wps button

wps modes

The WPS button is unfortunately only one of the possible connection modes under WPS. Others rely on a matching "PIN" - which obviously limits the effective security level of the device. This was intended for devices without a HW button, but it seems that it was an even worse idea than buttoned WPS.

There is no icon severe enough for this situation.

How on earth could anyone *ever* think this was even remotely acceptable? What makes this even worse is the attacker doesn't even have to bother to checksum the upper quad, only the whole number once the upper quad is known! Talk about head-banging crazy.

In real terms you'd be far more secure with a 'normal' 5 digit number!

@Will Godfrey

If this was log-in directly to your PC/account, then yes it would be a major fail of Windows95 proportions.

But in reality, the weakness is not as bad as that as all it gives them is access to your LAN and you should *NEVER* assume your LAN is a completely safe place.

OK, you probably have more lax firewall rules for 192.168.1.* or whatever, and they could be using your IP address for nefarious purposes, maybe even sending pr0n to your networked printer for the lutz.

But your own PC should be secured as if it is facing the wild wibbly west in any case, and all of your critical transactions done over https/ssh/etc. What I would be more worried about was users not changing the router's default password so they could change the DNS to a poisoned one...

Not just LAN access

If the default admin password hasn't been changed on the Router (common on most) then the attacker will next change the DNS server your router uses.

Then all your computers are vulnerable to Man-in-the-middle attacks even on HTTPS that can be forwarded to the real bank and echoed back, so you see the "real" web page and do the transaction. When you log out the attack server (man-in-the-middle via poisoned DNS) gives you a fake page, then it adds a transaction before logging you out.

@Oninoshiko

Most folk use DHCP so get the DNS from the router, usually passed-through from their ISP.

But in most cases you can manually set the DNS address in the router to use an alternative (OpenDNS etc) which is also what allows for much mischief if someone gets your router's login.

Hence my original point, your PCs, etc, should be secured as if it is exposed directly to the world, *AND* your router should be secured against an "inside job" where someone gets on your LAN. It could be this PIN weakness, but equally could be an infected PC.

> If the default admin password hasn't been changed on the Router (common on most) then the attacker will next change the DNS server your router uses. Then all your computers are vulnerable to Man-in-the-middle attacks even on HTTPS

No. HTTPS will then give a browser error message because either the signature on the MITM site certificate will have the wrong CN, or the signing chain will be wrong. SSL was designed with the assumption that DNS spoofing would be used as an attack.

Of course the users might ignore the error message, or the certification authority might have been hacked (see Reg passim), but that's not what you are talking about.

@Paul Crawford

" ... in most cases you can manually set the DNS address in the router to use an alternative ..." Unless, of course, you have a Virgin Media Superhub, which does not allow this unless you switch it to "Modem Mode" and add another wireless router to the tangle of wires.* Without that small modification, you are stuck with changing the DNS settings at each device that you wish to connect to the outside world.

*No-one seems to know why this is the case. There are continuing rumours that the next firmware update will see to it, but there is no explanation as to why the option to change the DNS settings is missing.

@xj25vm

"How about just using WPA-PSK instead of WPS (or WPA with Radius)? Why the need for MAC address white list? And, isn't it possible to spoof a MAC address anyway?"

That is my thought as well. I've always disabled WPS as it seemed to be an unnecessary service to begin with. With difficult to type WEP keys, I could see WPS being useful, but what's the point if you have WPA2-PSK with AES enabled?

How about just using WPA-PSK instead of WPS (or WPA with Radius)? Why the need for MAC address white list?

Depends on what you are using it for.

If you are a typical user, then YES. The primary purpose of WPS is to make it so easy (and enabled by default, in most cases) to have some sort of wifi security that typical users will actually do so. MAC address white listing defeats that simplicity anyway, and ANY WPA variant is better than this.

On the other hand, some other uses of WPS include easy wifi config. This has been adopted somewhat heavily for use in wifi attached appliances. It's going to be harder to change those on a drop of a hat, so if you happen to be using those, you are probably stuck with MAC address white lists as your best choice.

MAC Whitelist?

Never recommend security practices that don't provide real benefit. Your MAC address can be obtained by packet sniffing, being an unencrypted part of the data. The attacker can spoof an address on the whitelist.

A whitelist makes the wireless network harder for legitimate users (e.g. visitors) to connect, but is no real obstacle to a hacker. Creating a false sense of security can lead to complacency that actually reduces real security.

MAC Whitelist?

> Never recommend security practices that don't provide real benefit.

Yes, it's easy to spoof a MAC but a MAC whitelist means your hacker has deliberately and consciously crossed the line into illegality. No longer can they claim they just switched their laptop on and Windows just connected automatically to your router.

"Yes, it's easy to spoof a MAC but a MAC whitelist means your hacker has deliberately and consciously crossed the line into illegality. No longer can they claim they just switched their laptop on and Windows just connected automatically to your router."

Just because something is illegal, it doesn't stop anyone from doing it.

It only offers you legal recourse, and then only if you catch them.

Once they've sniffed your packets, logged into your network and sucked out your IP, they're gone - no need to hang around after all that.

Shades of the crack for TOPS-20 passwords

You could set up the check password system call to be at the edge of allowable memory. If you got the character correct, you would get a memory fault. If you got password incorrect, the character at the edge was wrong, and you tried again. When you got a character correct, you moved everything over and attacked the next character. It was short work to get the correct password.

Of course this was before hashed/encrypted passwords and all that.

Moral of the story:

1) Absorb the entire password before checking it

2) If you have incorrect passwords, delay the response exponentially for each bad attempt.

The problem with delayed response after incorrect login,

is that it converts the security routine into a denial-of-service tool, which is another bad thing. An attacker can make the service unusable for legitimate users, and maybe persuade the network owner to reset the device to factory defaults, including default password.
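The trade-off argued in the two comments above, as an added example that is not part of any comment in this thread: a toy lockout gate with a capped exponential delay and a simulated clock. The names `PinGate`, `seconds_to_spend` and `owner_wait`, and the 1-second base and 1-hour cap, are assumptions chosen for illustration.

```python
# Toy lockout model (constructed; simulated clock, no real device involved).

class PinGate:
    """Shared failure counter: each wrong PIN doubles the lockout, up to a cap."""
    def __init__(self, pin, base=1.0, cap=3600.0):
        self.pin, self.base, self.cap = pin, base, cap
        self.failures = 0
        self.locked_until = 0.0

    def attempt(self, now, guess):
        if now < self.locked_until:
            return "locked"
        if guess == self.pin:              # whole PIN compared in one step
            self.failures = 0
            return "ok"
        self.failures += 1
        # Clamp the exponent so very long failure runs cannot overflow a float.
        delay = min(self.cap, self.base * 2 ** min(self.failures - 1, 32))
        self.locked_until = now + delay
        return "wrong"

def seconds_to_spend(gate, wrong_guesses):
    """Simulated time at which the last of `wrong_guesses` failures is accepted."""
    now = 0.0
    for _ in range(wrong_guesses):
        now = max(now, gate.locked_until)  # wait out the current lockout
        gate.attempt(now, "wrong-pin")
    return now

def owner_wait(gate, now, pin):
    """Seconds a legitimate user holding the right PIN is kept out at `now`."""
    if gate.attempt(now, pin) == "locked":
        return gate.locked_until - now
    return 0.0
```

With these settings 11,000 wrong guesses take about 458 simulated days instead of hours, but 20 wrong guesses from anyone in radio range already keep the owner out for most of an hour, which is the denial-of-service cost raised in the reply.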

I'd guess that someone originally intended to have only 4-digit PINs, someone else said "That's insecure, add some more digits", so they added some more digits in effectively the form of a second 4-digit PIN after you had got the first one right.

Oh dear

Why check the first 4?

Write code to have the router always say the first 4 are correct, and do the real check when you have all 8. That should work with all current devices, break attack code that assumes the first guess is correct, and take 1000 times longer to guess all 7+1.
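The quad-by-quad counting from the first comment and the fix suggested just above, as an added example that is not part of any comment in this thread: a toy in-memory model comparing a verifier that reports a wrong first half on its own with one that only answers for all eight digits. The function names and response strings are hypothetical; the check-digit routine follows the published WPS PIN checksum.

```python
# Toy in-memory model of WPS PIN checking (constructed; no radio or network I/O).

def wps_checksum(body7: int) -> int:
    """Check digit over the first seven digits (weights 3,1,3,... from the right)."""
    accum = 0
    while body7:
        accum += 3 * (body7 % 10)
        body7 //= 10
        accum += body7 % 10
        body7 //= 10
    return (10 - accum % 10) % 10

def make_pin(body7: int) -> str:
    return f"{body7:07d}{wps_checksum(body7)}"

def split_verifier(pin):
    """Design described in the thread: a wrong first half is reported on its own."""
    def check(guess):
        if guess[:4] != pin[:4]:
            return "first_half_wrong"
        return "ok" if guess == pin else "second_half_wrong"
    return check

def deferred_verifier(pin):
    """Proposed fix: one answer for all 8 digits, no hint about which half failed."""
    def check(guess):
        return "ok" if guess == pin else "wrong"
    return check

def staged_search(check):
    """Probe count for the quad-by-quad procedure described in the thread."""
    probes, upper = 0, None
    for hi in range(10**4):                      # stage 1: upper quad only
        probes += 1
        if check(f"{hi:04d}0000") != "first_half_wrong":
            upper = hi
            break
    if upper is None:
        return None, probes
    for lo in range(10**3):                      # stage 2: three digits + check digit
        probes += 1
        guess = make_pin(upper * 1000 + lo)
        if check(guess) == "ok":
            return guess, probes
    return None, probes

PIN = make_pin(4976387)                          # the thread's example digits
SPLIT_WORST = 10**4 + 10**3                      # 11,000 probes
WHOLE_WORST = 10**7                              # every 7-digit body
```

Against `split_verifier(PIN)` the procedure returns the PIN after 5,365 probes; against `deferred_verifier(PIN)` it locks onto "0000" after one probe and returns nothing after 1,001, because the stage-1 answer no longer carries any information and only the full 10^7 space remains.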

WiFi mouse...What were they thinking of?

Co-incidentally, I also see an article here about a Wi-Fi mouse reference design.

What were they thinking of? They were thinking of devices with very limited memory, power, processing power, and I/O capability. For example, a WiFi mouse.

Does your wireless mouse presently have an encrypted channel? No? WPS was intended as an achievable approach to what is still a very difficult problem.

Anyway, at present my devices have no encryption at all. We warn clients that they should only be used on an isolated network. At the moment, that means no WiFi, and encryption configuration problems are the first reason.

isolated network

Still, if that's the deal you must save a whole load on AV and OS, and hassle of updates for both.

Just throw, I dunno, NT4 on there, no AV, use the slowest cheapest CPU you can find and it'll run like lightning, doing, doing, well, whatever it is that can be done without talking to any other machines.

Always hated it anyway

I hate WPS for another reason. Half my users think their operating system is Microsoft 2007. To give them a fine distinction between a 'WPS pin' and a 'WPA password' to deal with (and a whole different lot of associated dialogue boxes to navigate) is just asking for trouble. Aren't they confused enough (and aren't I busy enough) already?

And therein lies the rub.

This is an epic fail by every engineer and security professional that has had anything to do with implementing the RFCs behind this. So much for the many-eyes approach. Perhaps it is time to do a serious review of all the implemented RFCs *before* we come up with more insecure crap?